Analysis

  • max time kernel
    142s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-02-2024 11:33

General

  • Target

    5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe

  • Size

    4.0MB

  • MD5

    07d39a51862b3d28a806fc106134acf2

  • SHA1

    72f4f6afca8888adfaed3ea3794e3c734b2e8665

  • SHA256

    5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e

  • SHA512

    1970523761d8ee3e412718f3c9cbca8b17a1d4444c74cd658440f860861b5ea6e9688d282c51636b6e460d156a614ec0cc7bcfd8b1c0292f5993974d6960a0bd

  • SSDEEP

    98304:MBSUuZRwje/N12R6oTTbW0mK2Zvf3jtiu/aXVPOOwexy2sovFA:uS1/v2R6pm2ZDn/u5E2sovm

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://baidu.611110.xyz:8443/jquery-3.3.1.min.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    baidu.611110.xyz,/jquery-3.3.1.min.js

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    45000

  • port_number

    8443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCou2nMjOD8CJQrE4//5qNojmlYn1wREf9dYHd3ipigkBoAJ9EonsvD82Q0ZW1DhjTYHzpxmQwhEB7G6CLlQ12ua+XdBE3oUTt/Xhh/ZwwjhmSv11WlED9Q8n5phHQqN0lgWmn9wBl0yBF9OZ1ZN/UT0w0y2WP2ViI/uA641MwC7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.234810624e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /jquery-3.3.2.min.js

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

  • watermark

    100000000

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Loads dropped DLL 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe
    "C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe
      "C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe"
      2⤵
      • Loads dropped DLL
      PID:636

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI29922\MSVCR90.dll
    Filesize

    629KB

    MD5

    552cf56353af11ce8e0d10ee12fdcd85

    SHA1

    6ab062b709f851a9576685fe0410ff9f1a4af670

    SHA256

    e88299ea1a140ff758163dfff179fff3bc5e90e7cfbbd178d0c886dbad184012

    SHA512

    122f389e7047b728b27f3c964d34b9c8bcae7c36177122e6aa997a6edadad20b14552879f60667a084d34727cb2c85dd5534b6fa7a451f0ab33555b315335457

  • C:\Users\Admin\AppData\Local\Temp\_MEI29922\_ctypes.pyd
    Filesize

    119KB

    MD5

    f5ec0b24dfc7952241c7a86abfb61455

    SHA1

    84176ec5d9f6d106a3ac1724539dfccb7c4c6c33

    SHA256

    6c560fb6bac55b5b75ecd80d6f6efe797544fb6db060818f0a6e510ac5abd191

    SHA512

    91fad0a9b3a887b227fc5e40ebd0dc2e3a37805c02185ccd91547575e02c8196c76b96ce4bcc463e9993190e3b0a67ab5c8af1f5ada557f346a194455bc83040

  • C:\Users\Admin\AppData\Local\Temp\_MEI29922\_hashlib.pyd
    Filesize

    1.6MB

    MD5

    c94e5379dc430bc98b676260a929c1c6

    SHA1

    11305c38d58b104a2bd834925bf44930a41a416c

    SHA256

    11e2ba61c5d94999bace0bd8af8ce75dc10c2c494ebb4120367f7fc98209b61d

    SHA512

    d7fee1005cd3d652b6eb6c3569e7a6f3fa197982cfbe4807a7916f7d05f92bb5a2f5283ee095900dd97bc9a78981ad253792ae98fe509f78faf95c379b75bc20

  • C:\Users\Admin\AppData\Local\Temp\_MEI29922\https.exe.manifest
    Filesize

    1KB

    MD5

    b23faae7b6a781b3ac05d62e7c13a1b6

    SHA1

    36f48cc883a3e5007f9f3c153ef5bd3cb4d44573

    SHA256

    0116dfb0aea4f3dd3d92f3aa3e1c3d9828667da79bfbd054ffe2b08742ae6563

    SHA512

    7f42f66506c3f025760dc6123f56ef603338ba23c58b155d20eca053aa41448b25e6d9afcd1114d21a11d0fea40f6982d3dc4d0cf276579f71838fe1c5409721

  • C:\Users\Admin\AppData\Local\Temp\_MEI29922\python27.dll
    Filesize

    3.3MB

    MD5

    45281d04797e659305456db41a09ff44

    SHA1

    f858b38ca00a1330484019211d33171f74217ebb

    SHA256

    929187605f9dc41c38cb6886a63ee3d8629b5de6c57ad079ed53dce1ddc7c253

    SHA512

    8fa0d3bb946b50050eaa5d7bd2b227336fcba3280d793bcfd748072b8952f948ae930051fef09e4c30908a9e0f286c001d9641b828bac894060d413bc2d8d655

  • memory/636-21-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

  • memory/636-35-0x0000000003030000-0x0000000003130000-memory.dmp
    Filesize

    1024KB

  • memory/636-34-0x00000000058C0000-0x0000000005D32000-memory.dmp
    Filesize

    4.4MB

  • memory/636-42-0x0000000003030000-0x0000000003130000-memory.dmp
    Filesize

    1024KB

  • memory/2992-20-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB